AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
PKI Configuration Commands

NOTE:

Among the AR500 series routers, only the AR502G-L-D-H and AR502GR-L-D-H do not support PKI.

admin-dn

Function

The admin-dn command configures the administrator distinguished name (DN) of an LDAP server on the device.

The undo admin-dn command deletes an administrator DN of an LDAP server from the device.

By default, the administrator DN of the LDAP server is not configured on the device.

Format

admin-dn dn-string

undo admin-dn

Parameters

Parameter

Description

Value

dn-string

Indicates the administrator DN of an LDAP server.

The value is a string of 1 to 256 case-sensitive characters.

Views

LDAP server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The admin-dn and admin-password commands configure the administrator DN and password for an LDAP server respectively. An LDAP client is bound to the LDAP server through the administrator DN and password. When an LDAP client is successfully bound to the server, the client sets up a connection with the server and obtains the management rights of the server.

Configuration Notes

If you run the admin-dn command multiple times in the same LDAP server template view, only the latest configuration takes effect.

Note the following points:
  • The administrator DN configured on the device must be the same as that configured on the LDAP server.
  • If the administrator DN of an LDAP server is modified, the new DN only takes effect for later LDAP authentications.

Example

# Set the administrator DN of an LDAP server to test@123.

<Huawei> system-view
[Huawei] ldap-server template huawei
[Huawei-ldap-template-huawei] admin-dn test@123

admin-password

Function

The admin-password command configures the administrator password of an LDAP server on the device.

The undo admin-password command deletes the administrator password of an LDAP server from the device.

By default, the administrator password of the LDAP server is not configured on the device.

Format

admin-password password

undo admin-password

Parameters

Parameter

Description

Value

password

Indicates the administrator password of an LDAP server.

The value is a string of 1 to 63 case-sensitive characters.

Views

LDAP server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The admin-dn and admin-password commands configure the administrator DN and password for an LDAP server respectively. An LDAP client is bound to the LDAP server through the administrator DN and password. When an LDAP client is successfully bound to the server, the client sets up a connection with the server and obtains the management rights of the server.

Configuration Notes

  • If you run the admin-password command multiple times in the same LDAP server template view, only the latest configuration takes effect.

  • This command can take effect only after the admin-dn command has been executed.

  • The password is stored in the configuration file in cipher text no matter whether the password is configured in plain-text or cipher-text mode.

  • The administrator password configured on the device must be the same as that configured on the LDAP server.

Example

# Set the administrator password of an LDAP server to Huawei@2012.

<Huawei> system-view
[Huawei] ldap-server template huawei
[Huawei-ldap-template-huawei] admin-password Huawei@2012 
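The two configuration notes above (the password is stored in cipher text, and admin-password takes effect only after admin-dn has been executed) are exactly what a reviewer checks when an LDAP server template is pasted into a ticket or change request. The audit script below is an added example written for this page, not Huawei code. It assumes that a template's lines are indented by one space under the `ldap-server template` line, as in the examples here, and that cipher-text passwords are wrapped in `%^%#...%^%#`, the form shown in the `Password:` field of `display pki realm` output on this page. The DNs and the `reversed` and `legacy` templates are constructed; the finding codes are this example's own.

```python
import re
from typing import Dict, List

# Cipher-text form assumed from the "Password:" field of display pki realm on this page.
CIPHER_RE = re.compile(r"^%\^%#.+%\^%#$")
TEMPLATE_RE = re.compile(r"^ldap-server template (\S+)")

# Constructed configuration excerpt: the first template mirrors the page's examples,
# the other two are invented to show the findings.
SAMPLE_CONFIG = """\
ldap-server template huawei
 authentication-server 202.102.3.45 4300
 admin-dn cn=admin,dc=example,dc=com
 admin-password %^%#p~:85+zoaSytEeE:>bE%^Bj@%^%#
#
ldap-server template reversed
 authentication-server 10.0.0.5
 admin-password %^%#abc%^%#
 admin-dn cn=svc,dc=example,dc=com
#
ldap-server template legacy
 authentication-server 10.0.0.6 389
 admin-password Huawei@2012
#
"""


def audit_ldap_templates(config_text: str) -> Dict[str, List[str]]:
    """Return {template name: sorted finding codes}.

    plaintext_password  - admin-password value is not in %^%#...%^%# cipher form
    password_before_dn  - admin-password precedes any admin-dn (it would not take effect)
    missing_admin_dn    - template has admin-password but no admin-dn at all
    Secret values are never copied into the result.
    """
    findings: Dict[str, List[str]] = {}
    current = None
    seen_dn = seen_password = False
    for raw in config_text.splitlines():
        m = TEMPLATE_RE.match(raw)
        if m:
            # Close the previous template before starting a new one.
            if current is not None and seen_password and not seen_dn:
                findings[current].append("missing_admin_dn")
            current = m.group(1)
            findings[current] = []
            seen_dn = seen_password = False
            continue
        if current is None or not raw.startswith(" "):
            continue  # not inside a template body
        parts = raw.split(None, 1)
        keyword, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if keyword == "admin-dn":
            seen_dn = True
        elif keyword == "admin-password":
            seen_password = True
            if not seen_dn:
                findings[current].append("password_before_dn")
            if not CIPHER_RE.match(value):
                findings[current].append("plaintext_password")
    if current is not None and seen_password and not seen_dn:
        findings[current].append("missing_admin_dn")
    return {name: sorted(codes) for name, codes in findings.items()}


if __name__ == "__main__":
    for name, codes in audit_ldap_templates(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(codes) or 'ok'}")
```

The audit reports only finding codes, never the password value itself, so its output can be attached to a ticket without leaking the secret it found.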

authentication-server

Function

The authentication-server command configures the IP address and port number of an LDAP server on the device.

The undo authentication-server command deletes the IP address and port number of an LDAP server from the device.

By default, the IP address and port number of the LDAP server are not configured on the device.

Format

authentication-server ip-address [ port-number ]

undo authentication-server ip-address

Parameters

Parameter

Description

Value

ip-address

Indicates the IP address of an LDAP server.

The value is in dotted decimal notation.

port-number

Indicates the TCP port number used by an LDAP server.

The value is an integer that ranges from 1 to 65535. The default value is 389.

Views

LDAP server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In a PKI system, CRLs are usually stored on an LDAP server. When a device needs to verify a certificate against a CRL, you must configure the IP address and port number of the LDAP server in the LDAP server template view so that the device can access the LDAP server as an LDAP client and obtain the CRL.

Configuration Notes

If you run the authentication-server command multiple times in the same LDAP server template view, only the latest configuration takes effect.

Note the following points:
  • The LDAP server port configured on the device must be the same as the port actually used by the LDAP server.
  • If the IP address or port number of an LDAP server is modified, the new IP address or port number only takes effect for later LDAP authentications.

Example

# Set the IP address and port number of an LDAP server to 202.102.3.45 and 4300 respectively.

<Huawei> system-view
[Huawei] ldap-server template huawei
[Huawei-ldap-template-huawei] authentication-server 202.102.3.45 4300

auto-enroll

Function

Using the auto-enroll command, you can enable automatic certificate enrollment and update.

Using the undo auto-enroll command, you can disable automatic certificate enrollment and update.

By default, the automatic certificate enrollment and update function is disabled on the device.

Format

auto-enroll [ percent ] [ regenerate ]

undo auto-enroll

Parameters

Parameter

Description

Value

percent

Specifies the percentage of the certificate's validity period after which a new certificate is requested automatically.

The value is an integer that ranges from 10 to 100.

The default value is 100. When the old certificate expires, the system requests a new certificate.

regenerate

Determines whether to support the key rollover function.

When the key rollover function is enabled, the system regenerates a key pair during certificate update and replaces the existing private and public keys with the new pair. When the key rollover function is disabled, the system does not regenerate a key pair and uses the existing private and public keys to request a certificate.

-

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Automatic certificate enrollment: A PKI device uses the Simple Certificate Enrollment Protocol (SCEP) to request a certificate from a CA when the configuration required for certificate enrollment is complete but no local certificate is available. When no certificate is available, or the certificate is about to expire or has expired, the entity automatically requests a new certificate or renews the existing one over SCEP.

By default, the automatic certificate enrollment and update function is disabled. When a certificate has expired, you must use the pki get-certificate command to request a certificate for an entity. You can still use the pki get-certificate command to request a certificate for an entity when the automatic certificate enrollment and update function is enabled.

Precautions

If this command is not executed to enable automatic certificate enrollment and update, the device does not automatically request a certificate from the CA server when an application, such as IPSec, needs to obtain a certificate through PKI. In addition, when a certificate expires, the device does not automatically renew the certificate from the CA server.
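To put the percent parameter in calendar terms, the following is an added example (not Huawei code) that computes the point in a certificate's validity period at which auto-enroll would request a new certificate, and whether that point has already passed. The function names are this example's own; the validity dates used in the usage section are taken from the display pki certificate example on this page, and the 10 to 100 range enforced is the one documented above.

```python
from datetime import datetime, timezone


def renewal_time(not_before: datetime, not_after: datetime, percent: int = 100) -> datetime:
    """Time at which auto-enroll requests a new certificate.

    percent is the auto-enroll percentage (10 to 100); 100 means the request is
    made only when the old certificate expires, which is the documented default.
    """
    if not 10 <= percent <= 100:
        raise ValueError("auto-enroll percent must be between 10 and 100")
    if not_after <= not_before:
        raise ValueError("not_after must be later than not_before")
    validity = not_after - not_before          # timedelta
    return not_before + validity * percent / 100


def renewal_plan(not_before_iso: str, not_after_iso: str, percent: int, now_iso: str) -> dict:
    """Same computation from ISO-8601 strings carrying a UTC offset, e.g. transcribed
    from the Not Before / Not After lines of display pki certificate ... verbose."""
    nb, na, now = (datetime.fromisoformat(s) for s in (not_before_iso, not_after_iso, now_iso))
    renew_at = renewal_time(nb, na, percent)
    return {
        "renew_at": renew_at.isoformat(),
        "due": now >= renew_at,
        "hours_until_renewal": max(0.0, (renew_at - now).total_seconds() / 3600),
    }


if __name__ == "__main__":
    # Validity period from the display pki certificate example on this page.
    nb = datetime(2011, 8, 1, 11, 5, 34, tzinfo=timezone.utc)
    na = datetime(2012, 8, 1, 11, 15, 34, tzinfo=timezone.utc)
    for pct in (50, 80, 100):
        print(f"auto-enroll {pct}: request at {renewal_time(nb, na, pct).isoformat()}")
```

With the page's own example of `auto-enroll 50 regenerate`, renewal of that one-year certificate is requested at the end of January rather than on the August expiry date, leaving six months for the SCEP exchange to fail and be noticed before anything actually stops working.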

Example

# Enable automatic certificate enrollment and update for the PKI domain abc.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] auto-enroll 50 regenerate

ca id

Function

Using the ca id command, you can specify a certificate authority (CA) trusted by a PKI domain.

Using the undo ca id command, you can delete the CA trusted by a PKI domain.

By default, no trusted CA is specified on the device.

Format

ca id ca-name

undo ca id

Parameters

Parameter

Description

Value

ca-name

Specifies the name of a CA trusted by a PKI domain.

The value is a string of 1 to 63 case-sensitive characters that can contain spaces.

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

After the ca id command specifies the CA trusted by the device, the device requests, obtains, revokes, and queries its certificate through that CA.

Example

# Specify the CA root_ca trusted by the PKI domain abc.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] ca id root_ca

cdp-url

Function

Using the cdp-url command, you can configure the CRL distribution point (CDP) URL.

Using the undo cdp-url command, you can delete the configured CDP URL.

By default, no CDP URL is configured on the device.

Format

cdp-url cdp-url

undo cdp-url

Parameters

Parameter

Description

Value

cdp-url

Specifies the CDP URL.

The value is a string starting with http:// and consisting of 1 to 127 case-sensitive characters without spaces.

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In the public key infrastructure (PKI), a CA issues a certificate revocation list (CRL) to notify users of the certificates that are revoked because the user identity, user information, public key, or affiliation of CAs changes, the private key of the user or CA is compromised, or the user's service ceases. After a certificate is revoked, the corresponding public key is unbound from the user identity.

Clients use CRLs to check validity of certificates. When verifying a server's digital certificate, a client checks the CRL. If the certificate is in the CRL, the client considers the certificate invalid.

A CDP is a location from which a CRL is obtained. It is specified in a digital certificate. A CDP is a uniform resource locator (URL) in the Hypertext Transfer Protocol (HTTP) or Lightweight Directory Access Protocol (LDAP) format, an LDAP directory, or a URL of another type.

Configuration Impact

The cdp-url command configures the CDP URL used to obtain the CRL issued by a CA in a PKI domain. The configured URL overrides the CDP URL carried in the certificate. If the certificate has no CDP information and no CDP URL is configured on the device, the device requests the CRL from the CA server using SCEP.

Example

# Configure the CDP URL in the PKI domain abc.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] cdp-url http://cacrl.huawei.com/CertEnroll/huaweica.crl

certificate-check

Function

Using the certificate-check command, you can set the certificate status check method.

Using the undo certificate-check command, you can restore the default certificate status check method.

By default, the device checks certificates using CRLs.

Format

certificate-check { crl | none | ocsp }

undo certificate-check

Parameters

Parameter

Description

Value

crl

Uses the CRL to check the certificate status.

-

none

Indicates that certificates are not checked.

-

ocsp

Uses OCSP to check the certificate status.

-

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an end entity verifies a peer certificate, it checks the status of the peer certificate. For example, the end entity checks whether the peer certificate expires and whether the certificate is in a CRL. An end entity uses any of the following methods to check the peer certificate status:

  • CRL

    If a CA supports CRL distribution points (CDPs), a certificate that the CA issues to an end entity contains the CDP information, specifying how and where to obtain the CRL for the certificate. The end entity then uses the specified method (HTTP or LDAP) to find the CRL from the specified location and download the CRL.

    If a CDP URL is configured in a PKI domain, the end entity bound to the PKI domain obtains the CRL from the CDP URL.

    • If the CDP information is contained in the certificate or configured on the end entity, the end entity uses the method specified in the CDP information to obtain the CRL.
    • If the CA does not support CDPs and no CDP URL is configured on the end entity, the end entity uses the SCEP protocol to obtain the CRL.

      The SCEP message sent by the end entity contains the certificate issuer name and certificate serial number. The SCEP mode is the default mode. The Hypertext Transfer Protocol (HTTP) mode is recommended when an end entity needs to obtain a large number of CRLs.

  • OCSP

    If a certificate does not specify any CDP and no CDP URL is configured in the PKI domain, an end entity can use the Online Certificate Status Protocol (OCSP) to check the certificate status.

  • None

    This mode is used when no CRL or OCSP server is available to an end entity or the end entity does not need to check the peer certificate status. In this mode, an end entity does not check whether a certificate has been revoked.

Follow-up Procedure

Run the pki validate-certificate command to check validity of certificates.

Example

# Set the certificate check method to none in the PKI domain abc.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] certificate-check none

common-name

Function

Using the common-name command, you can configure a common name for a PKI entity.

Using the undo common-name command, you can delete the configured common name of a PKI entity.

By default, no common name is configured for a PKI entity on the device.

Format

common-name common-name

undo common-name

Parameters

Parameter

Description

Value

common-name

Specifies a common name for a PKI entity.

The value is a string of 1 to 31 case-sensitive characters.

The characters can be uppercase letters, lowercase letters, numerals, spaces, and special characters including ' = ( ) + . - / : .

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

After a PKI entity is created, you need to run this command to specify a common name for the PKI entity. The common name uniquely identifies a PKI entity.

Example

# Configure the common name hello for the PKI entity ra.

<Huawei> system-view
[Huawei] pki entity ra
[Huawei-pki-entity-ra] common-name hello

country

Function

Using the country command, you can configure a country code for a PKI entity.

Using the undo country command, you can delete the configured country code of a PKI entity.

By default, no PKI entity's country code is configured on the device.

Format

country country-code

undo country

Parameters

Parameter

Description

Value

country-code

Specifies the country code of a PKI entity.

The value is a string of two case-insensitive characters. For example, CN represents China and US represents United States.

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

The country command configures a country code for a PKI entity.

Example

# Configure the country code cn for the PKI entity ra.

<Huawei> system-view
[Huawei] pki entity ra
[Huawei-pki-entity-ra] country cn

crl cache

Function

Using the crl cache command, you can configure the device to use the buffered CRL.

Using the undo crl cache command, you can configure the device to retrieve the latest CRL each time.

By default, the device is permitted to use the buffered CRL in the PKI domain.

Format

crl cache

undo crl cache

Parameters

None

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

When the CRL is used to verify certificates, the CRL needs to be buffered in the memory of the device. By default, the device is permitted to use the buffered CRL in the PKI domain. If the device is not permitted to use the buffered CRL in the PKI domain, it needs to retrieve the latest CRL to override the buffered CRL.

Example

# Permit the device to use the buffered CRL in the PKI domain abc.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] crl cache

crl update-period

Function

Using the crl update-period command, you can set the CRL update period.

Using the undo crl update-period command, you can restore the default CRL update period.

By default, the CRL is updated at the interval specified by the Next Update parameter in the certificate.

Format

crl update-period hours

undo crl update-period

Parameters

Parameter

Description

Value

hours

Specifies the CRL update interval.

The value is an integer that ranges from 1 to 720, in hours.

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

The CRL update period is the interval at which a PKI entity downloads a CRL from the CA/RA. The CA/RA does not issue the CRL to an entity. Instead, the entity initiates CRL query to obtain a CRL.

Example

# Set the CRL update period to 100 hours in the PKI domain abc.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] crl update-period 100

display pki entity

Function

Using the display pki entity command, you can view the PKI entity information.

Format

display pki entity [ entity-name ]

Parameters

Parameter

Description

Value

entity-name

Specifies the name of the PKI entity whose information is displayed.

If this parameter is not specified, information about all PKI entities is displayed.

The value is a string of 1 to 15 case-sensitive characters without spaces.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display information about all PKI entities.

<Huawei> display pki entity
PKI Entity Information:
  Entity Name       :  cc
  Country Code      :  CN
  State             :  -
  Locality          :  N8
  Organization      :  -
  Organization Unit :  -
  Common Name       :  hello
  Fqdn              :  -
  Serial-number     : - 
  IP Address        :  -

  Entity Name       :  huawei
  Country Code      :  CN
  State             :  -
  Locality          :  abcd
  Organization      :  -
  Organization Unit :  -
  Common Name       :  hi
  Fqdn              :  -
  Serial-number     : - 
  IP Address        :  -

 Total Number : 2

# Display detailed information about the PKI entity huawei.

<Huawei> display pki entity huawei
 PKI Entity Information:
   Entity Name       :  huawei
   Country Code      :  CN
   State             :  -
   Locality          :  abcd
   Organization      :  -
   Organization Unit :  -
   Common Name       :  hi
   Fqdn              :  -
   Serial-number     : - 
   IP Address        :  -

 Total Number : 1
Table 14-105  Description of the display pki entity command output

Item

Description

Entity Name

PKI entity name.

Refer to entity to set this parameter.

Country Code

Country code of the PKI entity.

Refer to country to set this parameter.

State

State or province of the PKI entity.

Refer to state to set this parameter.

Locality

Geographic area of the PKI entity.

Refer to locality to set this parameter.

Organization

Organization of the PKI entity.

Refer to organization to set this parameter.

Organization Unit

Department of the PKI entity.

Refer to organization-unit to set this parameter.

Common Name

Common name of the PKI entity.

Refer to common-name to set this parameter.

Fqdn

Fully Qualified Domain Name (FQDN) of the PKI entity.

Refer to fqdn to set this parameter.

Serial-number

Serial number of the entity.

Refer to serial-number to set this parameter.

IP Address

IP address of the PKI entity.

Refer to ip-address (PKI entity view) to set this parameter.

display pki realm

Function

The display pki realm command displays PKI domain information.

Format

display pki realm [ pki-realm-name ]

Parameters

Parameter

Description

Value

pki-realm-name

Specifies the name of the PKI domain whose detailed information is displayed.

If the parameter is left blank, information about all PKI domains is displayed.

The PKI domain name must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display pki realm command displays PKI domain information.

Example

# Display information about all PKI domains.

<Huawei> display pki realm
PKI Realm Information:
 Realm Name : abc                                                               
  CA ID: root_ca                                                                
  Enrollment URL: http://10.137.145.158:8080/certsrv/mscep/mscep.dll            
  Certificate Request Interval(Minutes): 1                                      
  Certificate Request Times: 100                                                
  Enrollment Mode: RA                                                           
  Enrollment Method: SCEP                                                       
  Entity Name: -                                                                
  CA Certificate Fingerprint Arithmetic: sha1                                   
  CA Certificate Fingerprint: 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf          
  OCSP URL: http://10.137.145.121:18081/ejbca/publicweb/status/ocsp             
  CDP URL: http://cacrl.huawei.com/CertEnroll/huaweica.crl                      
  Certificate Revocation Check Method: none                                     
  RSA Key Size: 2048                                                            
  Auto-enroll: Enable                                                           
  Auto-enroll percentage: 50%                                                   
  Auto-enroll regenerate: Enable                                                
  Password cipher: Enable                                                       
  Password: %^%#p~:85+zoaSytEeE:>bE%^Bj@%^%#
  Crl Update-period(Hours): 600                                                 
  Crl Cache: Enable                                                             
  Usage: SSL-client
  Vpn-instance: huawei
  Enrollment-request specific: Disable

 Realm Name : default
  CA ID: -
  Enrollment URL: -
  Certificate Request Interval: -
  Certificate Request Times: -
  Enrollment Mode: -
  Enrollment Method: Self-Signed
  Entity Name: -
  CA Certificate Fingerprint Arithmetic: -
  CA Certificate Fingerprint: -
  OCSP URL: -
  CDP URL: -
  Certificate Revocation Check Method: crl
  RSA Key Size: 2048
  Auto-enroll: Disable
  Password: -
  Crl Update-period(Hours): -
  Crl Cache: Enable
  Enrollment-request specific: Disable

 Total Number: 2

# Display detailed information about the PKI domain abc.

<Huawei> display pki realm abc
 Realm Name : abc                                                               
  CA ID: root_ca                                                                
  Enrollment URL: http://10.137.145.158:8080/certsrv/mscep/mscep.dll            
  Certificate Request Interval(Minutes): 1                                      
  Certificate Request Times: 100                                                
  Enrollment Mode: RA                                                           
  Enrollment Method: SCEP                                                       
  Entity Name: -                                                                
  CA Certificate Fingerprint Arithmetic: sha1                                   
  CA Certificate Fingerprint: 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf          
  OCSP URL: http://10.137.145.121:18081/ejbca/publicweb/status/ocsp             
  CDP URL: http://cacrl.huawei.com/CertEnroll/huaweica.crl                      
  Certificate Revocation Check Method: none                                     
  RSA Key Size: 2048                                                            
  Auto-enroll: Enable                                                           
  Auto-enroll percentage: 50%                                                   
  Auto-enroll regenerate: Enable                                                
  Password cipher: Enable                                                       
  Password: %^%#p~:85+zoaSytEeE:>bE%^Bj@%^%#
  Crl Update-period(Hours): 600                                                 
  Crl Cache: Enable                                                             
  Usage: SSL-client
  Vpn-instance: huawei
  Enrollment-request specific: Disable

 Total Number: 1
Table 14-106  Description of the display pki realm command output

Item

Description

Realm Name

PKI domain name.

To configure the PKI domain name, run the pki realm (System view) command.

CA ID

ID of the CA associated with the PKI domain.

To configure the ID of the CA associated with the PKI domain, run the ca id command.

Enrollment URL

URL of the SCEP server with which the certificate is enrolled.

To configure the SCEP server URL, run the enrollment-url command.

Certificate Request Interval(Minutes)

Interval between two certificate enrollment status queries.

To set the interval between two certificate enrollment status queries, run the enrollment-url command.

Certificate Request Times

Maximum number of certificate enrollment status queries.

To set the maximum number of certificate enrollment status queries, run the enrollment-url command.

Enrollment Mode

Certificate enrollment mode.

To configure the certificate enrollment mode, run the enrollment-url command.

Enrollment Method

Certificate enrollment method:
  • SCEP: The certificate is obtained from the CA through SCEP.
  • Self-Signed: A self-signed certificate is obtained.

To configure the certificate enrollment method, run the enrollment self-signed command.

Entity Name

PKI entity name.

To configure the PKI entity name, run the entity command.

CA Certificate Fingerprint Arithmetic

Fingerprint algorithm of the CA certificate.

To specify the fingerprint algorithm, run the fingerprint command.

CA Certificate Fingerprint

Fingerprint of the CA certificate.

To configure the fingerprint, run the fingerprint command.

OCSP URL

OCSP server's URL.

To set the OCSP server's URL, run the ocsp-url command.

CDP URL

URL of the CDP.

To configure the CDP URL, run the cdp-url command.

Certificate Revocation Check Method

Certificate status check method.

To configure the certificate status check method, run the certificate-check command.

RSA Key Size

RSA key length.

To set the RSA key length, run the rsa-key-size command.

Auto-enroll

Whether automatic certificate enrollment is enabled.

To enable automatic certificate enrollment, run the auto-enroll command.

Auto-enroll percentage

Percentage of the certificate's validity period.

Auto-enroll regenerate

Whether the key rollover function is enabled.

Password cipher

Whether the password is stored in cipher text.

Password

Certificate revocation password.

To configure the certificate revocation password, run the password command.

Crl Update-period(Hours)

CRL update interval.

To set the CRL update interval, run the crl update-period command.

Crl Cache

Whether the buffered CRL can be used.

To configure the device to use the buffered CRL, run the crl cache command.

Usage

Key usage carried in the certificate request packet.

To configure the usage information of the key, run the usage (PKI domain view) command.

Vpn-instance

VPN to which the PKI domain belongs.

To configure the VPN, run the vpn-instance (PKI domain view) command.

Enrollment-request specific

Whether the certificate request packet uses a specific format.

To set the packet format, run the enrollment-request specific command.

display pki certificate

Function

Using the display pki certificate command, you can view information about the CA certificate or local certificate.

Format

display pki certificate { ca | local | ocsp } pki-realm-name [ verbose ]

Parameters

Parameter

Description

Value

ca

Displays information about the CA certificate.

-

local

Displays information about the local certificate.

-

ocsp

Displays information about the OCSP certificate.

-

pki-realm-name

Specifies the PKI domain name of a certificate to be checked.

The PKI domain name must already exist.

verbose

Queries certificate details.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display pki certificate command displays information about the CA certificate or local certificate.

Example

# Display information about the CA certificate in the PKI domain abc.

<Huawei> display pki certificate ca abc
CA certificate
  Status : Available
  Version: 3
  Serial Number:
    14 75 6a 2b 31 6f ca 9a 4d d6 07 07 62 40 f9 54
  Subject:
    CN=CA_ROOT

  Associated Pki Realm : abc

Total Number: 1 

# Display information about the local certificate in the PKI domain abc.

<Huawei> display pki certificate local abc
Certificate
  Status : Available
  Version: 3
  Serial Number:
    61 2a 86 98 00 00 00 00 01 41
  Subject:
    C=CN
    L=N8
    CN=hello

  Associated Pki Realm : abc

Total Number: 1 

# Display detailed information about the local certificate in the PKI domain abc.

<Huawei> display pki certificate local abc verbose
Certificate
  Status : Available
  Version: 3
  Serial Number:
    61 2a 86 98 00 00 00 00 01 41
  Signature Algorithm: SHA1WITHRSA
  Issuer:
    CN=CA_ROOT
  Validity
    Not Before: 2011-08-01 11:05:34 GMT
    Not After : 2012-08-01 11:15:34 GMT
  Subject:
    C=CN
    L=N8
    CN=hello
  Subject Public Key Info:
    Public Key Algorithm : RSA
    RSA Public Key
           Modulus: ( 1024 bit )
             e6674bd6418ad79f  19de6b7e1a8db14c
             0ad2840d4e0d2cef  a0df3bab07f1013c
             334dd35aecf2ed8e  784dd313001cf3c9
             dafe55ccdb964515  e224c3de9aee19a6
             32d02e6f78cc0f64  9fb97188ab944b47
             ab54c9115ca39257  dbf6f78f76778a0c
             549b417c568f0561  e4b5bf842dfdca1a
             ca0aea69d86b1f98  2f51839abd8dabe3
           Exponent: 0x010001                                                   
  Key Usage: Not Set                                                            
  Subject Key Identifier:                                                       
    ebae3ff21827e787  60610dab18195af1  c871f30e                                
  Authority Key Identifier:                                                     
    e504ba834189cd51  de378dbec5f5d1db  c981a79c                                
  CRL Distribution Point:                                                       
  URL=http://huawei-nzm5gw2g/CertEnroll/CA_ROOT.crl                             
                                                                                
  Associated Pki Realm : abc                                                   
                                                                                
Total Number: 1                                              
Table 14-107  Description of the display pki certificate command output

Item

Description

Status

Certificate status.

Version

Version number of the certificate.

Serial Number

Serial number of the certificate.

Signature Algorithm

Signature algorithm of the certificate.

Issuer

Certificate issuer.

Validity

Certificate's validity period.

Subject

Subject of the certificate.

Subject Public Key Info

Public key of the certificate.

Public Key Algorithm

Public key algorithm.

RSA Public Key

RSA public key information.

Key Usage

Usage of the key.

Subject Key Identifier

Key identifier of the user.

Authority Key Identifier

Key identifier of the organization that issues the key.

CRL Distribution Point

CRL distributor information.

Associated Pki Realm

PKI domain associated with the certificate.

display pki certificate enroll-status

Function

Using the display pki certificate enroll-status command, you can view the certificate enrollment status.

Format

display pki certificate enroll-status pki-realm-name

Parameters

Parameter

Description

Value

pki-realm-name

Specifies the PKI domain name of a certificate to be checked.

The PKI domain name must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display pki certificate enroll-status command displays the certificate enrollment status.

Example

# Display the certificate enrollment status.

<Huawei> display pki certificate enroll-status abc
 The enroll status of certificate is successful.

display pki credential-storage-path

Function

Using the display pki credential-storage-path command, you can view the default path where a PKI certificate is stored.

Format

display pki credential-storage-path

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display pki credential-storage-path command displays the default path where a PKI certificate is stored.

Example

# Display the default path where a PKI certificate is stored.

<Huawei> display pki credential-storage-path
 The pki credential-storage-path is flash:/ .

display pki crl

Function

Using the display pki crl command, you can view information about the buffered CRL.

Format

display pki crl pki-realm-name

Parameters

Parameter

Description

Value

pki-realm-name

Specifies the name of the PKI domain associated with the CRL.

The PKI domain name must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display pki crl command displays information about the buffered CRL.

Example

# Display information about the CRL associated with the PKI domain abc.

<Huawei> display pki crl abc
The CRL in cache:
 Version 2
 Signature Algorithm: SHA1WITHRSA
 Issuer Name:
    CN=CA_ROOT
 Last Update: 2011.07.29  08:33:26(GMT)
 Next Update: 2011.08.05  20:53:26(GMT)
 CRL extensions:
     CRL Number: 0x01e4
     Authority Key Identifier :
     ec0459f3 9787ffc7 ea837013 99589f6e e776b8a1
 Revoked Certificates:
 Serial Number: 4e 68 2c de 00 00 00 00 01 32
      Revocation Date: 2011.07.29  08:43:21(GMT)
      CRL entry extensions:
        CRL Reason Code:
        Private key Compromise.
 Serial Number: 1e 7c a1 b7 00 00 00 00 00 36
      Revocation Date: 2011.07.20  01:21:05(GMT)
      CRL entry extensions:
        CRL Reason Code:
        Private key Compromise.
Total Number: 2 
Table 14-108  Description of the display pki crl command output

Item

Description

Version

CRL version number.

Signature Algorithm

Signature algorithm used in the CRL.

Issuer Name

CA that issues the CRL.

Last Update

Time when the CRL was last updated.

Next Update

Next time the CRL will be updated.

CRL extensions

CRL extended attribute.

CRL Number

CRL ID.

Authority Key Identifier

Identifier of the CA that issues an invalid certificate.

Revoked Certificates

Certificate that is revoked.

Serial Number

Serial number of the revoked certificate.

Revocation Date

Date when the certificate was revoked.

CRL entry extensions

Content of the CRL extended attribute.

CRL Reason Code

Reason why the certificate was revoked.
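
The display pki certificate and display pki crl outputs above are easy to consume from a monitoring script. The following added example (not Huawei code; the sample text is constructed from abridged copies of the two outputs shown on this page) parses both formats, cross-checks the local certificate against the cached CRL, and flags the short RSA modulus and SHA1 signature that are visible in the output. The reference time `now`, the 2048-bit minimum, and the function names are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample, abridged from the display pki certificate local verbose output above.
CERT_OUTPUT = """  Serial Number:
    61 2a 86 98 00 00 00 00 01 41
  Signature Algorithm: SHA1WITHRSA
  Issuer:
    CN=CA_ROOT
    Not Before: 2011-08-01 11:05:34 GMT
    Not After : 2012-08-01 11:15:34 GMT
           Modulus: ( 1024 bit )
"""

# Constructed sample, abridged from the display pki crl output above.
CRL_OUTPUT = """The CRL in cache:
 Issuer Name:
    CN=CA_ROOT
 Next Update: 2011.08.05  20:53:26(GMT)
 Revoked Certificates:
 Serial Number: 4e 68 2c de 00 00 00 00 01 32
      Revocation Date: 2011.07.29  08:43:21(GMT)
      CRL entry extensions:
        CRL Reason Code:
        Private key Compromise.
 Serial Number: 1e 7c a1 b7 00 00 00 00 00 36
      Revocation Date: 2011.07.20  01:21:05(GMT)
      CRL entry extensions:
        CRL Reason Code:
        Private key Compromise.
"""

CERT_TIME = "%Y-%m-%d %H:%M:%S GMT"    # e.g. '2012-08-01 11:15:34 GMT'
CRL_TIME = "%Y.%m.%d %H:%M:%S(GMT)"    # e.g. '2011.07.29  08:33:26(GMT)'

def to_utc(value, fmt):
    # A space in a strptime format matches one or more blanks, so the CRL's double space is fine.
    return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)

def norm_serial(serial):
    # '4e 68 2c ...' and '4E682C...' both become one lowercase hex string.
    return re.sub(r"[\s:]", "", serial).lower()

def parse_certificate(text):
    """Pull the fields a validity check needs out of the verbose certificate output."""
    lines = [ln.strip() for ln in text.splitlines()]
    cert = {}
    for i, ln in enumerate(lines):
        if ln == "Serial Number:":              # value is on the following line
            cert["serial"] = norm_serial(lines[i + 1])
        elif ln == "Issuer:":
            cert["issuer"] = lines[i + 1]
        elif ln.startswith("Signature Algorithm:"):
            cert["sig_alg"] = ln.split(":", 1)[1].strip().upper()
        elif ln.startswith("Not Before:"):
            cert["not_before"] = to_utc(ln.split(":", 1)[1], CERT_TIME)
        elif ln.startswith("Not After"):
            cert["not_after"] = to_utc(ln.split(":", 1)[1], CERT_TIME)
        elif ln.startswith("Modulus:"):
            cert["key_bits"] = int(re.search(r"\(\s*(\d+)\s*bit", ln).group(1))
    return cert

def parse_crl(text):
    """Pull issuer, Next Update and the revoked-serial table out of the CRL output."""
    lines = [ln.strip() for ln in text.splitlines()]
    crl = {"revoked": {}}
    current = None
    for i, ln in enumerate(lines):
        if ln == "Issuer Name:":
            crl["issuer"] = lines[i + 1]
        elif ln.startswith("Next Update:"):
            crl["next_update"] = to_utc(ln.split(":", 1)[1], CRL_TIME)
        elif ln.startswith("Serial Number:"):   # value is inline here, unlike the cert output
            current = norm_serial(ln.split(":", 1)[1])
            crl["revoked"][current] = {"date": None, "reason": None}
        elif ln.startswith("Revocation Date:") and current:
            crl["revoked"][current]["date"] = to_utc(ln.split(":", 1)[1], CRL_TIME)
        elif ln == "CRL Reason Code:" and current:
            crl["revoked"][current]["reason"] = lines[i + 1].rstrip(".")
    return crl

def assess(cert, crl, now, min_rsa_bits=2048):
    """Return the findings for one local certificate; an empty list means nothing to flag."""
    findings = []
    if not cert["not_before"] <= now <= cert["not_after"]:
        findings.append("certificate outside its validity period")
    if cert.get("key_bits", 0) < min_rsa_bits:
        findings.append("RSA modulus too short: %d bits" % cert.get("key_bits", 0))
    if cert["sig_alg"].startswith(("MD5", "SHA1")):
        findings.append("weak signature algorithm: " + cert["sig_alg"])
    if crl["issuer"] != cert["issuer"]:
        findings.append("cached CRL was not issued by the certificate's CA")
        return findings                          # revocation cannot be judged from this CRL
    if now > crl["next_update"]:
        findings.append("cached CRL is stale (past Next Update)")
    entry = crl["revoked"].get(cert["serial"])
    if entry:
        findings.append("revoked on %s: %s" % (entry["date"].date(), entry["reason"]))
    return findings
```

Feed the two command outputs captured from the device to `parse_certificate` and `parse_crl`, then `assess` with the current time; a stale cached CRL is reported separately from a revoked serial because the device only refreshes the CRL at Next Update.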

display pki peer-certificate

Function

The display pki peer-certificate command displays the imported digital certificates of the remote device.

Format

display pki peer-certificate { name peer-name | all }

Parameters

Parameter

Description

Value

name peer-name

Displays detailed information about a specified imported digital certificate. peer-name specifies the name of the digital certificate.

The value is a string of 1 to 15 case-insensitive characters without spaces.

all

Displays brief information about all digital certificates of the remote device.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

To view brief information about all digital certificates of the remote device or detailed information about a specified imported digital certificate, run the display pki peer-certificate command.

Prerequisites

The pki import-certificate peer command has been executed to import digital certificates of the remote device.

Example

# Display brief information about all digital certificates of the remote device.

<Huawei> display pki peer-certificate all
  Peer certificate name :abcd
  Serial Number:
    12 19 3c d3 00 00 00 00 04 9a
  Subject:
    CN=a

Total Number: 1

# Display detailed information about the digital certificate abcd of the remote device.

<Huawei> display pki peer-certificate name abcd
Certificate
  Status : Unavailable
  Version: 3
  Serial Number:
    12 19 3c d3 00 00 00 00 04 9a
  Signature Algorithm: SHA1WITHRSA
  Issuer:
    CN=CA_ROOT
  Validity
    Not Before: 2013-02-19 13:00:22 GMT
    Not After : 2014-02-19 13:10:22 GMT
  Subject:
    CN=a
  Subject Public Key Info:
    Public Key Algorithm : RSA
    RSA Public Key
           Modulus: ( 512 bit )
             b98b4765a999ed58  b263746556d108bb
             1d8f4eed72a24aef  d8453d53dbc8ebdf
             539e5fc796466514  1aab72e9a271c87a
             f0510ccc39bb1475  7df1bc882ca72ee9
           Exponent: 0x010001
  Key Usage: Not Set
  Subject Key Identifier:
    e25b8a035801c8e3  14bc185bf9bd0068  5bd1904e
  Authority Key Identifier:
    cebaca39c7ad6acb  8517d08a8e28020b  52d4d92b
  CRL Distribution Point:
  URL=http://10.136.55.76:8080/CertEnroll/CA_ROOT.crl

  Peer name: abcd

Table 14-109  Description of the display pki peer-certificate command output

Item

Description

Peer certificate name

Name of the digital certificate of the remote device.

Serial Number

Serial number of the certificate.

Subject

Subject of the certificate.

Status

Certificate status.

Version

Version number of the certificate.

Signature Algorithm

Signature algorithm of the certificate.

Issuer

Certificate issuer.

Validity

Certificate's validity period.

Subject Public Key Info

Public key of the certificate.

Public Key Algorithm

Public key algorithm.

RSA Public Key

Information about the RSA public key.

Key Usage

Usage of the key.

Subject Key Identifier

Key identifier of the user.

Authority Key Identifier

Key identifier of the CA.

CRL Distribution Point

Information about the CRL distribution point.

Peer name

Name of the digital certificate of the remote device.

enrollment-request specific

Function

The enrollment-request specific command configures the device to use a certificate request packet of the specific format to apply for a certificate from the CA server.

The undo enrollment-request specific command restores the default setting.

By default, the device uses a certificate request packet of the standard format to apply for a certificate from the CA server.

Format

enrollment-request specific

undo enrollment-request specific

Parameters

None

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario
You need to configure this command to implement communication between the device and the CA server when the CA server has the following requirements:
  • The unstructured address and unstructured name of the certificate request packet do not carry the SET identifier.
  • The device uses the private key of the applied certificate to sign the certificate request packet.
Precautions

When the CA server has the preceding requirements, the RSA key length of certificates specified by the rsa-key-size command cannot be longer than 2048 bits.

If the RSA key length of certificates is longer than 2048 bits, the device will use the private key of a self-signed certificate to sign the certificate request packet regardless of whether the enrollment-request specific command is configured.

Example

# Configure the device to use a certificate request packet of the specific format to apply for a certificate from the CA server.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] enrollment-request specific

enrollment self-signed

Function

The enrollment self-signed command configures self-signed certificate obtaining in the PKI domain.

The undo enrollment self-signed command restores the default certificate obtaining method.

By default, the certificate in a PKI domain, except the default PKI domain, is obtained in SCEP mode.

Format

enrollment self-signed

undo enrollment self-signed

Parameters

None

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The enrollment self-signed command configures self-signed certificate obtaining in the PKI domain. The device can use the self-signed certificate obtained from the PKI domain default to support default HTTPS functions.

The device does not support lifecycle management for self-signed certificates. For example, self-signed certificates cannot be registered, updated, or revoked on the device. To ensure security of the device and certificates, it is recommended that the user's certificate be used.

Precautions

To configure self-signed certificate obtaining, delete the certificate obtained in SCEP mode in the PKI domain.

By default, the certificate in the PKI domain default is obtained in self-signed mode.

Example

# Configure self-signed certificate obtaining in the PKI domain abc.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] enrollment self-signed

enrollment-url

Function

Using the enrollment-url command, you can configure the URL of the certificate enrollment server.

Using the undo enrollment-url command, you can delete the URL of the certificate enrollment server.

By default, the URL of the certificate enrollment server is not configured.

Format

enrollment-url url [ interval minutes ] [ times count ] [ ra ]

undo enrollment-url

Parameters

Parameter

Description

Value

url

Specifies the URL of the certificate enrollment server.

The URL is in the format http://server_location/ca_script_location, where server_location can only be an IP address and ca_script_location is the path to the CA's application script, for example, http://10.137.145.158:8080/certsrv/mscep/mscep.dll.

The value is a string starting with http:// and consisting of 1 to 127 case-sensitive characters without spaces.

interval minutes

Specifies the interval between two consecutive certificate enrollment status queries.

The value is an integer that ranges from 1 to 1440, in minutes. The default value is 1.

times count

Specifies the maximum number of certificate enrollment status queries.

The value is an integer that ranges from 1 to 100. The default value is 100.

ra

Indicates that the certificate is enrolled through a registration authority (RA).

-

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

Before an entity applies to the certificate enrollment server for a certificate or downloads a certificate from the server, the URL of the server must be specified. (Entities communicate with CAs using the SCEP protocol.)

Example

# Create a PKI domain abc and configure the URL of the certificate enrollment server.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra

entity

Function

Using the entity command, you can specify a PKI entity.

Using the undo entity command, you can delete the specified PKI entity.

By default, no PKI entity is specified on the device.

Format

entity entity-name

undo entity

Parameters

Parameter

Description

Value

entity-name

Specifies the name of a PKI entity.

The value is a string of 1 to 15 case-sensitive characters without spaces.

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an entity requests the local certificate in the PKI domain, the device encapsulates the configuration of the specified PKI entity into the certificate request.

Prerequisites

The specified PKI entity has been configured by using the pki entity command.

Precautions

A PKI domain can be bound to only one PKI entity.

Example

# Bind the PKI entity a to the PKI domain abc.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] entity a

fingerprint

Function

The fingerprint command configures the CA certificate fingerprint used in CA certificate authentication.

The undo fingerprint command deletes the configured CA certificate fingerprint used in CA certificate authentication.

By default, no CA certificate fingerprint is configured on the device.

Format

fingerprint { md5 | sha1 | sha2 } fingerprint

undo fingerprint

Parameters

Parameter

Description

Value

md5

Indicates the Message Digest 5 (MD5) algorithm.

-

sha1

Indicates the secure hash algorithm 1 (SHA1).

-

sha2

Indicates the secure hash algorithm 2 (SHA2).

-

fingerprint

Specifies the CA certificate fingerprint.

The value is a case-insensitive hexadecimal character string.
  • If MD5 is used, the fingerprint must be 32 characters (16 bytes).
  • If SHA1 is used, the fingerprint must be 40 characters (20 bytes).

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When obtaining a CA certificate, the device uses MD5, SHA1, or SHA2 to calculate the fingerprint of the received CA certificate and compares it with the configured fingerprint. If the two values are the same, the device accepts the CA certificate. When verifying a certificate, the device uses the public key of the CA certificate to check the certificate's digital signature. If the signature is verified successfully, the certificate is valid.

Precautions

You can configure MD5, SHA1, or SHA2 to calculate the CA certificate fingerprint. If you run the fingerprint command multiple times in the same PKI domain view, only the latest configuration takes effect.

NOTE:

Calculating a CA certificate fingerprint using MD5 or SHA1 has security risks.
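
The acceptance rule described in the usage scenario above, written out as an added example (not Huawei code): the configured value is validated the way the Value column specifies (hexadecimal, case-insensitive, 32 or 40 characters for MD5 or SHA1), the fingerprint of the received CA certificate is computed, and the two are compared in constant time. The assumptions are that sha2 means SHA-256 (64 hex characters, which is what the example below uses), that MD5 and SHA1 are refused unless explicitly allowed, and the stand-in DER bytes, which are constructed and not a real certificate.

```python
import hashlib
import hmac

# Hex-digest lengths the command accepts (from the Value column above). 'sha2' is taken
# here to mean SHA-256, 64 hex characters, matching the fingerprint in the example below.
FINGERPRINT_ALGOS = {"md5": ("md5", 32), "sha1": ("sha1", 40), "sha2": ("sha256", 64)}
DEPRECATED = ("md5", "sha1")          # the NOTE above: these carry security risks

# Constructed stand-in for a DER-encoded CA certificate (not a real certificate).
SAMPLE_CA_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def compute_fingerprint(ca_cert_der, algo):
    """Fingerprint of the DER-encoded CA certificate, as lowercase hex."""
    digest_name, _ = FINGERPRINT_ALGOS[algo]
    return hashlib.new(digest_name, ca_cert_der).hexdigest()


def validate_configured_fingerprint(algo, configured):
    """Reject what the CLI would reject: unknown algorithm, non-hex input, wrong length."""
    if algo not in FINGERPRINT_ALGOS:
        raise ValueError("algorithm must be one of md5, sha1, sha2")
    expected_len = FINGERPRINT_ALGOS[algo][1]
    if len(configured) != expected_len:
        raise ValueError("%s fingerprint must be %d hex characters" % (algo, expected_len))
    try:
        int(configured, 16)
    except ValueError:
        raise ValueError("fingerprint is not hexadecimal") from None
    return configured.lower()            # the value is case-insensitive


def ca_certificate_accepted(ca_cert_der, algo, configured, allow_deprecated=False):
    """Mirror the device's decision: accept the CA certificate only when the digest matches.

    Returns (accepted, reason). A weak digest algorithm is refused unless explicitly allowed."""
    if algo in DEPRECATED and not allow_deprecated:
        return False, "%s fingerprints are deprecated; use sha2" % algo
    configured = validate_configured_fingerprint(algo, configured)
    actual = compute_fingerprint(ca_cert_der, algo)
    # Constant-time comparison so timing does not reveal how many leading bytes matched.
    if hmac.compare_digest(actual, configured):
        return True, "fingerprint matches"
    return False, "fingerprint mismatch: got %s" % actual
```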

Example

# Configure the CA certificate fingerprint for the PKI domain abc.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] fingerprint sha2 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF7A34D94624B1C1BCBF6D763C
fqdn

Function

Using the fqdn command, you can configure a Fully Qualified Domain Name (FQDN) for a PKI entity.

Using the undo fqdn command, you can delete the configured FQDN.

By default, no FQDN is configured for a PKI entity on the device.

Format

fqdn fqdn-name

undo fqdn

Parameters

Parameter

Description

Value

fqdn-name

Specifies the FQDN of a PKI entity.

The value is a string of 1 to 255 case-sensitive characters without spaces.

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

The fqdn command configures a PKI entity's FQDN.

Example

# Configure the FQDN pki.domain-name.com for the PKI entity ra.

<Huawei> system-view
[Huawei] pki entity ra
[Huawei-pki-entity-ra] fqdn pki.domain-name.com
ip-address (PKI entity view)

Function

The ip-address command configures an IP address for a PKI entity.

The undo ip-address command restores the default setting.

By default, no IP address is configured for a PKI entity.

Format

ip-address { ip-address | interface-type interface-number }

undo ip-address

Parameters

Parameter

Description

Value

ip-address

Specifies the IP address of a PKI entity.

The value is in dotted decimal notation.

interface-type interface-number

Specifies an interface IP address of a PKI entity.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The parameters of an entity include the identity information of the entity. The CA identifies a certificate applicant based on identity information provided by an entity. To facilitate applicant identification, configure an IP address for the PKI entity, which is used as an alias of the entity.

After an IP address is configured for a PKI entity, the certificate request packet sent by the device to the CA server will carry this IP address. After receiving the certificate request packet, the CA server verifies the packet. If the packet is valid, the CA server generates a digital certificate carrying the device IP address.

Precautions

If the specified interface has no IP address, the digital certificate will not contain the device IP address.

Example

# Set the IP address for the PKI entity to 10.12.12.12.

<Huawei> system-view
[Huawei] pki entity ra
[Huawei-pki-entity-ra] ip-address 10.12.12.12

# Set the IP address of the PKI entity to the IP address of GigabitEthernet1/0/0.

<Huawei> system-view
[Huawei] pki entity ra
[Huawei-pki-entity-ra] ip-address gigabitethernet 1/0/0
ldap-server-template

Function

The ldap-server-template command creates an LDAP server template and displays the LDAP server template view, or displays the view of an existing LDAP server template.

The undo ldap-server-template command deletes an LDAP server template.

By default, no LDAP server template exists on the device.

Format

ldap-server-template template-name

undo ldap-server-template template-name

Parameters

Parameter

Description

Value

template-name

Specifies the name of an LDAP server template.

The value is a string of 1 to 31 case-sensitive characters without spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An LDAP server stores the CRLs issued by CA and provides a directory for browsing the CRLs. The device needs to access the LDAP server to obtain CRL information.

The device can set up a connection with the LDAP server only after an LDAP server template is created and the connection parameters, such as IP address and port number of the server, are set in the template.

Configuration Notes

A maximum of 32 LDAP server templates can be configured on the device; however, only the first LDAP template can take effect.

Example

# Create an LDAP server template named huawei and enter the LDAP server template view.

<Huawei> system-view
[Huawei] ldap-server-template huawei
[Huawei-ldap-template-huawei] 

locality

Function

Using the locality command, you can configure a geographic area for a PKI entity.

Using the undo locality command, you can delete the configured geographic area of a PKI entity.

By default, no geographic area is configured for a PKI entity on the device.

Format

locality locality-name

undo locality

Parameters

Parameter

Description

Value

locality-name

Specifies a geographic area for a PKI entity.

The value is a string of 1 to 31 case-sensitive characters.

The characters can be uppercase letters, lowercase letters, numerals, spaces, and special characters including ' = ( ) + . - / : .

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

The locality command configures a geographic area for a PKI entity.

Example

# Configure the geographic area Beijing for the PKI entity ra.

<Huawei> system-view
[Huawei] pki entity ra
[Huawei-pki-entity-ra] locality Beijing
non-exportable

Function

The non-exportable command prohibits a user from exporting the private key of a local certificate.

The undo non-exportable command allows a user to export the private key of a local certificate.

By default, a user is allowed to export the private key of a local certificate.

Format

non-exportable

undo non-exportable

Parameters

None

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After obtaining a local certificate, you need to import the certificate to the device. Before importing the certificate, specify whether the private key of an imported certificate can be exported. Generally, a user needs to export the certificate and private key simultaneously only when the user backs up a local certificate. In most scenarios, the user only needs to export the certificate to obtain the public key. The non-exportable command prohibits a user from exporting the private key of a local certificate. This prevents private key disclosure because unauthorized users are prohibited from exporting the private key.

Precautions

  • If self-signed certificate obtaining is specified in a PKI domain, such as the PKI domain default, the private key of the certificate cannot be exported. This configuration cannot be modified.
  • If this command is configured before a certificate is imported, this command takes effect. If private keys already exist in a domain before this command is configured, it does not take effect. In this case, you need to delete the existing private keys and certificates from the domain and import them again. Therefore, you are advised to specify whether private keys of imported certificates can be exported before importing certificates.

Example

# Prohibit a user from exporting the private key of the local certificate in the PKI domain abc.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] non-exportable

ocsp-url

Function

Using the ocsp-url command, you can configure the Uniform Resource Locator (URL) of the Online Certificate Status Protocol (OCSP) server. This URL overrides the OCSP server's address in the certificate.

Using the undo ocsp-url command, you can delete the configured URL of the OCSP server.

By default, no OCSP URL is configured on the device.

Format

ocsp-url ocsp-url

undo ocsp-url

Parameters

Parameter

Description

Value

ocsp-url

Specifies the OCSP server's URL.

The value is a string starting with http:// and consisting of 1 to 127 case-sensitive characters without spaces.

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

When an end entity verifies a peer certificate, it checks the status of the peer certificate. For example, the end entity checks whether the peer certificate expires and whether the certificate is in a Certificate Revocation List (CRL). OCSP checks validity of certificates. If a CRL Distribution Point (CDP) is not specified in a certificate and the CRL's URL is not configured in a PKI domain, an entity can use OCSP to check validity of the certificate.

Example

# Configure the OCSP server's URL in the PKI domain abc.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] ocsp-url http://10.137.145.121:18081/ejbca/publicweb/status/ocsp
organization

Function

Using the organization command, you can configure a PKI entity's organization name.

Using the undo organization command, you can delete the configured PKI entity's organization name.

By default, no PKI entity's organization name is configured on the device.

Format

organization organization-name

undo organization

Parameters

Parameter

Description

Value

organization-name

Specifies a PKI entity's organization name.

The value is a string of 1 to 31 case-sensitive characters.

The characters can be uppercase letters, lowercase letters, numerals, spaces, and special characters including ' = ( ) + . - / : .

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

The organization command configures a PKI entity's organization name.

Example

# Configure the organization name huawei for the PKI entity ra.

<Huawei> system-view
[Huawei] pki entity ra
[Huawei-pki-entity-ra] organization huawei
organization-unit

Function

The organization-unit command configures the department name for a PKI entity.

The undo organization-unit command restores the default setting.

By default, no department name is configured for a PKI entity.

Format

organization-unit organization-unit-name

undo organization-unit

Parameters

Parameter

Description

Value

organization-unit-name

Specifies the department name for a PKI entity.

The department name is a string of 1 to 31 case-sensitive characters. A maximum of six departments can be configured. Names of departments are separated by commas (,). The total length of all department names ranges from 1 to 191.

The characters can be uppercase letters, lowercase letters, numerals, spaces, and special characters including ' = ( ) + . - / : .

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The parameters of an entity include the identity information of the entity. The CA identifies a certificate applicant based on identity information provided by an entity. To identify the entities of different departments in an organization, configure the department names for the PKI entities.

After the department name is configured for a PKI entity, the certificate request packet sent by the device to the CA server will carry this name. After receiving the certificate request packet, the CA server verifies the packet. If the packet is valid, the CA server generates a digital certificate carrying the department name of the PKI entity.

Precautions

If a PKI entity belongs to a multi-level department structure, for example, to a subordinate department of the sales department, configure multiple department names separated by commas.

Example

# Set the department of a PKI entity to Group1, Sale.

<Huawei> system-view
[Huawei] pki entity ra
[Huawei-pki-entity-ra] organization-unit Group1,Sale
password

Function

Using the password command, you can configure a certificate revocation password.

Using the undo password command, you can delete the configured certificate revocation password.

By default, no certificate revocation password is configured on the device.

Format

password cipher password

undo password

Parameters

Parameter

Description

Value

cipher

Indicates the password in cipher text.

-

password

Specifies the certificate revocation password.

The value is a string of case-sensitive characters. It cannot contain question marks (?) or spaces. The password is in plain text containing 1 to 64 characters or in cipher text containing 31 to 56 characters.

NOTE:
To improve security, it is recommended that the certificate revocation password contain at least 6 characters drawn from at least two of the following types: lowercase letters, uppercase letters, digits, and special characters.

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

The password command configures a certificate revocation password in a PKI domain. This prevents users from incorrectly revoking certificates and improves operation security.

Example

# Configure a PKI domain abc, and set the certificate revocation password to huawei@123.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] password cipher huawei@123
pki create-certificate

Function

Using the pki create-certificate command, you can create a self-signed certificate or local certificate.

Format

pki create-certificate [ self-signed ] filename file-name

Parameters

Parameter

Description

Value

self-signed

Specifies a self-signed certificate. If this parameter is not specified, the pki create-certificate command creates a local certificate.

A self-signed certificate is issued by a PKI device. In a self-signed certificate, the certificate issuer and subject of the certificate are identical.

A device certificate is a PKI entity's certificate that carries a certificate authority (CA) signature.

-

filename file-name

Specifies the name of a certificate file.

The value is a string of 1 to 63 case-insensitive characters without spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the PKI device generates the self-signed certificate or local certificate, the certificate file is saved on the storage device. You can export the certificate for other devices to use, which implements a simple certificate issuing function.

When you run the pki create-certificate command, the system asks you to enter certificate information, for example, PKI entity parameters, certificate file name and storage path, and RSA key length.

The device does not provide lifecycle management for self-signed certificates. For example, self-signed certificates cannot be updated or revoked on the device. To ensure security of the device and certificates, it is recommended that the user's certificate be used.

Example

# Create a self-signed certificate huawei.

<Huawei> system-view
[Huawei] pki create-certificate self-signed filename huawei

# Create a local certificate local.

<Huawei> system-view
[Huawei] pki create-certificate filename local

pki credential-storage

Function

Using the pki credential-storage command, you can configure the default path and directory where the CA certificate, local certificate, and private key are stored.

By default, the CA certificate, local certificate, and private key are stored in flash:/.

Format

pki credential-storage local-dir

Parameters

Parameter

Description

Value

local-dir

Specifies the default path where the CA certificate, device certificate, and private key in a PKI domain are stored.

The value is a string of 1 to 31 characters in the format {drive}[folder-name]. drive indicates a storage medium supported by the device, and folder-name specifies the folder in that storage medium.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The pki credential-storage command configures the default path and directory where the CA certificate, local certificate, and private key are stored.

Example

# Save the certificates on the flash:/.

<Huawei> system-view
[Huawei] pki credential-storage flash:/

pki delete-certificate

Function

Using the pki delete-certificate command, you can delete the locally saved certificate.

Format

pki delete-certificate { ca | local | ocsp } pki-realm-name

Parameters

Parameter

Description

Value

ca

Deletes a CA certificate.

-

local

Deletes a local certificate.

-

ocsp

Deletes an OCSP certificate.

-

pki-realm-name

Specifies the name of the PKI domain that the certificate belongs to.

The PKI domain name must already exist.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If a certificate expires or you want to request a new certificate, delete the current CA certificate, local certificate, or OCSP certificate.

Example

# Delete the local certificate in the PKI domain abc.

<Huawei> system-view
[Huawei] pki delete-certificate local abc

pki enroll-certificate

Function

The pki enroll-certificate command configures manual certificate enrollment.

Format

pki enroll-certificate pki-realm-name [ pkcs10 [ filename filename ] ]

Parameters

Parameter

Description

Value

pki-realm-name

Specifies the name of a PKI domain.

The PKI domain name must already exist.

pkcs10

Uses the PKCS#10 format to display the local certificate request information.

-

filename filename

Saves the certificate request information to the specified file. The file is in PKCS#10 format and is sent to the CA out of band.

The value is a string of 1 to 63 case-insensitive characters without spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A certificate can be requested manually or automatically. The pki enroll-certificate command starts a manual certificate request.

A manual request can be online or offline. In an online request, the entity requests the certificate from the CA over SCEP. In an offline request, the entity writes the request to a file and the applicant delivers it to the CA out of band.

Precautions

  • If pkcs10 is specified, the entity requests the certificate in offline mode: it saves the certificate request in a PKCS#10 file, which is then sent to the CA out of band.

  • If pkcs10 is not specified, the entity requests the certificate from the CA in online mode.

  • After the enrollment self-signed command is used in the PKI domain, the pki enroll-certificate command cannot be used to request a certificate manually.

Example

# Enroll a certificate for the PKI domain abc.

<Huawei> system-view
[Huawei] pki enroll-certificate abc

pki entity

Function

Using the pki entity command, you can configure a Public Key Infrastructure (PKI) entity and enter the PKI entity view.

Using the undo pki entity command, you can delete a PKI entity.

By default, no PKI entity is configured on the device.

Format

pki entity entity-name

undo pki entity entity-name

Parameters

Parameter

Description

Value

entity-name

Specifies the name of a PKI entity.

The value is a string of 1 to 15 case-sensitive characters without spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

A PKI entity is a user that applies for or has obtained a certificate. To use PKI features, configure a PKI entity.

Example

# Configure a PKI entity ra.

<Huawei> system-view
[Huawei] pki entity ra

pki export-certificate

Function

The pki export-certificate command exports a certificate to a file.

Format

pki export-certificate { ca | local | ocsp } pki-realm-name { der | pkcs12 | pem }

Parameters

Parameter

Description

Value

ca

Exports a CA certificate.

-

local

Exports a local certificate.

-

ocsp

Exports the Online Certificate Status Protocol (OCSP) server's certificate.

-

pki-realm-name

Specifies the PKI domain name of a certificate.

The PKI domain name must already exist.

der

Exports a certificate in DER format.

-

pkcs12

Exports a certificate in P12 format.

-

pem

Exports a certificate in PEM format.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To copy a certificate to another device, run the pki export-certificate command. This command exports the CA certificate, the local certificate, or the OCSP server certificate; when the local certificate is exported, its private key can be exported with it.

The device can export a certificate in PEM, PFX (PKCS#12, P12 for short), or DER format.

Precautions
  • When you export the local certificate, the system prompts for the certificate file name and then for the private key file name. If you do not need to export the private key, press Enter at the private key prompt.
  • If the private key file name is the same as the certificate file name, the private key and the certificate are written to one file. If the names differ, they are written to separate files.
  • When you export the private key, the system prompts for the private key file format and for a password. The private key is protected with this password, and the same password is required when the key is imported with the pki import-certificate command.
  • A weak password puts the exported private key at risk. The password must contain at least two of the following character types: uppercase letters, lowercase letters, digits, and special characters.
  • After the enrollment self-signed command is used in the PKI domain, the pki export-certificate command cannot be used to export certificates to files.

Example

# Export the local certificate in the PKI domain abc.

<Huawei> system-view
[Huawei] pki export-certificate local abc der
 Please enter the name of certificate file <length 1-127>: aa
 If you only export the certificate, do not export the private key.
 You can directly enter empty of private key file.
 Please enter the name of private key file <length 1-127>: ab
 Please enter the type of private key file(pem , p12): pem
 The current password is required, the password must consist of at least two types of characters, including lowercase letters, upper case letters, numerals and special characters.
 Please enter your password <length 6-31>: ******
 Successfully exported the certificate.

pki get-certificate

Function

Using the pki get-certificate command, you can obtain a CA certificate or local certificate.

Format

pki get-certificate { ca | local } pki-realm-name

Parameters

Parameter

Description

Value

ca

Obtains a CA certificate.

-

local

Obtains a local certificate.

-

pki-realm-name

Specifies the PKI domain name of a certificate.

The PKI domain name must already exist.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Using the pki get-certificate command, an entity queries the CA server for an issued certificate and downloads it. An entity can download its own certificate, the CA certificate, or the certificate of another entity.

A certificate is downloaded for the following purposes:
  • To keep a copy on the device, which speeds up certificate lookups and reduces the number of queries sent to the PKI certificate repository.
  • To prepare for certificate authentication.

Example

# Obtain the CA certificate in the PKI domain abc.

<Huawei> system-view
[Huawei] pki get-certificate ca abc

pki get-crl

Function

Using the pki get-crl command, you can configure the device to download a certificate revocation list (CRL) from a certificate server.

Format

pki get-crl pki-realm-name

Parameters

Parameter

Description

Value

pki-realm-name

Specifies the PKI domain name of the CRL.

The PKI domain name must already exist.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If the CRL on the device is about to expire, run the pki get-crl command to configure the device to download a CRL to replace the old CRL.

Example

# Download the CRL for the PKI domain abc.

<Huawei> system-view
[Huawei] pki get-crl abc

pki import-certificate

Function

The pki import-certificate command imports an external certificate to the device through file transfer mode.

Format

pki import-certificate { ca | local | ocsp } pki-realm-name { der | pkcs12 | pem }

Parameters

Parameter

Description

Value

ca

Imports a CA certificate.

-

local

Imports a local certificate.

-

ocsp

Imports the Online Certificate Status Protocol (OCSP) server's certificate.

-

pki-realm-name

Specifies the PKI domain name of the imported certificate.

The PKI domain name must already exist.

der

Imports a certificate in DER format.

-

pkcs12

Imports a certificate in P12 format.

-

pem

Imports a certificate in PEM format.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To use an external certificate, copy it to the device's storage out of band (see Prerequisites) and then run the pki import-certificate command to load it.

The device can import a CA certificate, a local certificate, and the private key belonging to the local certificate. The certificate and private key can be in PEM, PFX (PKCS#12, P12 for short), or DER format.

Prerequisites

The external certificate has been uploaded to the device through FTP or TFTP.

Precautions

When you import the local certificate, the system prompts for the certificate file name, the private key file name and format, and the password. The password must be the same as the one set when the certificate was exported with the pki export-certificate command.

After the enrollment self-signed command is used in the PKI domain, the pki import-certificate command cannot be used to import external certificates.

You can import a digital certificate generated with the RSA or SM2 algorithm.

Example

# Import a local certificate to the PKI domain abc through file transfer mode.

<Huawei> system-view
[Huawei] pki realm abc 
[Huawei-pki-realm-abc] quit
[Huawei] pki import-certificate local abc der
 Info: The local certificate has existed.
 The old local certificate will be covered with the new one. Are you sure[Y/N]:
y
 Please enter the name of certificate file <length 1-127>:abc
  You are importing a local certificate.
  You can directly enter "Enter" only when the local certificate is obtained by pkcs10 message.
 Please enter the name of private key file <length 1-127>:abd
 Please enter the type of private key file(pem , p12 , der): pem
 The current password is required, please enter your password <length 1-31>:******
 Successfully imported the certificate.

pki import-certificate peer

Function

The pki import-certificate peer command imports a digital certificate of the remote device.

Format

pki import-certificate peer peer-name { der | pem | pkcs12 } file

pki import-certificate peer peer-name pem terminal

Parameters

Parameter

Description

Value

peer-name

Imports a specified digital certificate of the remote device. peer-name specifies the name of the digital certificate.

The value is a string of 1 to 15 case-insensitive characters without spaces.

der

Imports a digital certificate of the remote device in DER format.

-

pem

Imports a digital certificate of the remote device in PEM format.

-

pkcs12

Imports a digital certificate of the remote device in P12 format.

-

terminal

Imports a digital certificate of the remote device in terminal mode.

-

file

Imports a digital certificate of the remote device in file mode.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After IPSec is deployed on a network that uses digital envelope authentication, configure the public key of the remote device. The public key can be obtained from the public and private key management module or from the remote device's digital certificate.

The digital certificate of the remote device can be imported in the following modes:
  • terminal: Open the PEM-format certificate file in a text editor and paste its contents into the device's terminal session.
  • file: The device reads the remote device's certificate from a file. The file can be in PEM, DER, or PFX (PKCS#12, P12 for short) format.

Prerequisites

If file mode is used, the remote device's certificate file has been uploaded to the device through FTP or TFTP.

Precautions

When you enter the certificate file name, run the dir (user view) command to view the path where the certificate file is stored.

You can import a peer digital certificate generated with the RSA or SM2 algorithm.

Example

# Import the digital certificate aa.pem of the remote device in file mode.

<Huawei> system-view
[Huawei] pki import-certificate peer abcd pem file
 Please enter the name of certificate file <length 1-127>:flash:/aa.pem
 Successfully imported the peer certificate.

# Import the digital certificate aa.pem of the remote device in terminal mode.

<Huawei> system-view
[Huawei] pki import-certificate peer h3 pem terminal
Enter PEM-formatted peer certificate.
End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

quit
 Successfully imported the peer certificate. 

pki import-certificate terminal

Function

The pki import-certificate terminal command imports an external certificate to the device through terminal mode.

Format

pki import-certificate name pki-realm-name pem terminal password password-value

Parameters

Parameter

Description

Value

name pki-realm-name

Specifies the PKI domain name of the imported certificate.

The value is an existing PKI domain name.

pem

Imports a certificate in PEM format.

-

terminal

Specifies the terminal import mode.

-

password password-value

Specifies the password in the private key file.

The value is a string of 1 to 31 characters without spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After obtaining an external certificate out of band, you import it to the device. The imported certificate can be a CA certificate or a local certificate together with its private key. To import a PEM-format certificate with its private key, open the file in a text editor and paste its contents into the terminal session.

After the import, run the display current-configuration command to view the imported certificate in the configuration. The certificate is saved and restored with the configuration file.

Prerequisites

A PKI domain has been created using the pki realm (System view) command.

Example

# Import a local certificate to the PKI domain abc through terminal mode.

<Huawei> system-view
[Huawei] pki realm abc 
[Huawei-pki-realm-abc] quit
[Huawei] pki import-certificate name abc pem terminal password abc123
Enter PEM-formatted CA certificate.
End with a blank line or "end" on a line by itself.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
end
Enter PEM-formatted encrypted private General Purpose key.
End with "end" on a line by itself
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F18D190B5CA99826
...
-----END RSA PRIVATE KEY-----
end
Enter PEM-formatted General Purpose certificate.
End with a blank line or "end" on a line by itself.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
end
 Successfully to import the certificate chain. 
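The export dialog (pki export-certificate) and the terminal import above both leave the private key as an OpenSSL-style encrypted PEM block whose Proc-Type and DEK-Info headers name the cipher used with the export password. The following script is an added example for this reference, not device code: it splits a combined certificate-and-key PEM file into blocks, reads those headers, and flags how each private key is protected before the file is copied to another device. The sample PEM text is constructed in the script and its base64 bodies are placeholder bytes, not real keys.

```python
"""Inspect a PEM file as written by the certificate export/import dialogs.

Added example for this reference; not device code. It splits a file into its
PEM blocks, reads the RFC 1421-style headers that mark an encrypted private
key (Proc-Type / DEK-Info), and reports key-protection findings.
"""
import base64
import re

# One regex for every "-----BEGIN X-----" ... "-----END X-----" block.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

# Private-key labels seen in PEM files; "ENCRYPTED PRIVATE KEY" is PKCS#8.
PRIVATE_KEY_LABELS = {
    "RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"
}
# Ciphers used by OpenSSL "traditional" PEM encryption that are legacy today.
LEGACY_DEK_CIPHERS = {"DES-CBC", "DES-EDE3-CBC", "RC2-CBC"}


def _pem_block(label, body, headers=()):
    """Build one PEM block from raw bytes; sample data only, not a real key."""
    b64 = base64.b64encode(body).decode("ascii")
    lines = [f"-----BEGIN {label}-----"]
    lines.extend(headers)
    if headers:
        lines.append("")  # a blank line separates headers from the body
    lines.extend(b64[i:i + 64] for i in range(0, len(b64), 64))
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


# Constructed sample: a certificate block and two key blocks, one encrypted
# the way the device transcript shows (3DES, traditional headers) and one
# left in the clear. The DER/ciphertext bytes are placeholders.
SAMPLE_PEM = (
    _pem_block("CERTIFICATE", bytes([0x30, 0x03, 0x02, 0x01, 0x01]))
    + _pem_block(
        "RSA PRIVATE KEY",
        bytes(range(16)),
        headers=["Proc-Type: 4,ENCRYPTED",
                 "DEK-Info: DES-EDE3-CBC,F18D190B5CA99826"],
    )
    + _pem_block("RSA PRIVATE KEY", bytes(range(32)))
)


def parse_pem_blocks(text):
    """Return one dict per PEM block: label, key/encryption info, payload size."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        lines = body.strip().splitlines()
        headers = {}
        # Header lines ("Name: value") come first; base64 never contains ':'.
        while lines and ":" in lines[0]:
            name, value = lines.pop(0).split(":", 1)
            headers[name.strip()] = value.strip()
        payload = base64.b64decode("".join(l.strip() for l in lines), validate=True)
        encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
        cipher = headers.get("DEK-Info", "").split(",")[0] or None
        blocks.append({
            "label": label,
            "is_private_key": label in PRIVATE_KEY_LABELS,
            "encrypted": encrypted or label == "ENCRYPTED PRIVATE KEY",
            "cipher": cipher,
            "payload_len": len(payload),
        })
    return blocks


def review_key_protection(blocks):
    """Return the findings a reviewer would raise about private-key storage."""
    findings = []
    for b in blocks:
        if not b["is_private_key"]:
            continue
        if not b["encrypted"]:
            findings.append(f"{b['label']}: stored in the clear; "
                            "anyone who can read the file holds the key")
        elif b["cipher"] in LEGACY_DEK_CIPHERS:
            # Traditional PEM encryption derives the key from the password
            # with a single MD5 pass (EVP_BytesToKey), so offline guessing is
            # cheap; PKCS#8 (BEGIN ENCRYPTED PRIVATE KEY) uses PBKDF2 instead.
            findings.append(f"{b['label']}: {b['cipher']} with single-pass "
                            "MD5 key derivation; use a long export password "
                            "or re-wrap the key as PKCS#8")
    return findings


if __name__ == "__main__":
    parsed = parse_pem_blocks(SAMPLE_PEM)
    for block in parsed:
        print(block)
    for finding in review_key_protection(parsed):
        print("WARNING:", finding)
```

Run it against a file exported with the same certificate and private key file name (the case in which the device writes both into one file) to confirm that the key block is the encrypted one and that no clear-text key block was written alongside it.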

pki realm (System view)

Function

The pki realm command configures a PKI domain.

The undo pki realm command deletes a PKI domain.

By default, the PKI domain default exists on the device. This domain can be modified, but cannot be deleted.

Format

pki realm realm-name

undo pki realm realm-name

Parameters

Parameter

Description

Value

realm-name

Specifies the name of a PKI domain.

The value is a string of 1 to 15 characters without spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A PKI domain is a set of identity information required when a PKI entity enrolls a certificate.

A PKI domain allows other applications, such as Internet Key Exchange (IKE) and SSL VPN, to reference the PKI configuration. When performing certificate authentication, the IKE peer or SSL VPN obtains the CA certificate and local certificate according to the configuration of the PKI domain.

Precautions

A PKI domain is local to the device that configures it; certificate authorities (CAs) and other devices have no visibility of it.

Example

# Configure a PKI domain abc.

<Huawei> system-view
[Huawei] pki realm abc

pki release-certificate peer

Function

The pki release-certificate peer command releases a digital certificate of the remote device.

Format

pki release-certificate peer { name peer-name | all }

Parameters

Parameter

Description

Value

name peer-name

Releases a specified digital certificate of the remote device. peer-name specifies the name of the digital certificate.

The value is a string of 1 to 15 case-insensitive characters without spaces.

all

Releases all digital certificates of the remote device.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the specified digital certificate of the remote device is not required, run the pki release-certificate peer command to release the digital certificate of the remote device.

Prerequisites

The pki import-certificate peer command has been used to import the digital certificate of the remote device.

Example

# Release the digital certificate huawei of the remote device.

<Huawei> system-view
[Huawei] pki release-certificate peer name huawei
 Successfully release the peer certificate.

pki validate-certificate

Function

Using the pki validate-certificate command, you can configure the device to check validity of the CA certificate or local certificate.

Format

pki validate-certificate { ca | local } pki-realm-name

Parameters

Parameter

Description

Value

ca

Checks validity of the CA certificate.

-

local

Checks validity of the local certificate.

-

pki-realm-name

Specifies the PKI domain name of a certificate to be checked.

The PKI domain name must already exist.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When an end entity verifies a peer certificate, it checks the certificate's status: for example, whether the certificate has expired and whether it is listed in a CRL.

Before running the pki validate-certificate command to check the validity of the CA certificate or local certificate, run the certificate-check command to set the certificate check method (CRL or OCSP).

Example

# Configure the device to check validity of the local certificate using CRL.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] certificate-check crl
[Huawei-pki-realm-abc] quit
[Huawei] pki validate-certificate local abc

rsa-key-size

Function

The rsa-key-size command sets the Rivest, Shamir, and Adleman (RSA) key length used for certificates.

The undo rsa-key-size command restores the default RSA key length.

By default, the RSA key length of certificates is 2048 bits.

Format

rsa-key-size size

undo rsa-key-size

Parameters

Parameter

Description

Value

size

Specifies the RSA key length of certificates.

The value is 512, 1024, or 2048.

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

After the rsa-key-size command sets the RSA key length, the device generates an RSA key pair of that length when it requests a certificate.

An RSA key pair consists of a public key and a private key. When host A requests a certificate, the certificate request carries host A's public key. After the certificate is issued, host B uses the public key in it to encrypt data sent to host A and to verify host A's signatures. Host A keeps the private key and uses it to decrypt that data and to sign data sent to host B.

NOTE:

Set the RSA key length to 2048 bits or more. 512-bit RSA keys can be factored with modest resources and 1024-bit keys are no longer considered secure; use the smaller values only where a legacy CA leaves no alternative.

Example

# Set the RSA key length of certificates to 2048 in the PKI domain abc.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] rsa-key-size 2048

serial-number

Function

The serial-number command adds the serial number of a device to the PKI entity.

The undo serial-number command restores the default setting.

By default, the serial number of a device is not added to the PKI entity.

Format

serial-number

undo serial-number

Parameters

None

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

The parameters of an entity include the identity information of the entity. The CA identifies a certificate applicant based on identity information provided by an entity. To further identify the applicant, add the serial number of the device to the PKI entity.

After the serial number of the device is added to a PKI entity, the certificate request packet sent by the device to the CA server will carry this serial number. After receiving the certificate request packet, the CA server verifies the packet. If the packet is valid, the CA server generates a digital certificate carrying the device serial number.

Example

# Add the serial number of the device to a PKI entity.

<Huawei> system-view
[Huawei] pki entity ra
[Huawei-pki-entity-ra] serial-number

source interface

Function

The source interface command configures the source interface used in TCP connection setup.

The undo source interface command restores the default source interface used in TCP connection setup.

By default, the device uses the outbound interface as the source interface for TCP connection setup.

Format

source interface interface-type interface-number

undo source interface

Parameters

Parameter

Description

Value

interface-type interface-number

Specifies an interface's IP address as the source IP address for TCP connection setup.
  • interface-type indicates the type of the interface.
  • interface-number indicates the number of the interface.

-

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

The source interface command specifies the source interface for establishing a connection between the device and the Simple Certificate Enrollment Protocol (SCEP) or Online Certificate Status Protocol (OCSP) server.

NOTE:

Ensure that the interface is a Layer 3 interface and has an IP address configured.

Example

# Configure the source interface in the PKI domain abc to set up a TCP connection.

<Huawei> system-view
[Huawei] vlan batch 100
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 10.136.2.25 24
[Huawei-Vlanif100] quit
[Huawei] pki realm abc
[Huawei-pki-realm-abc] source interface vlanif 100

state

Function

Using the state command, you can specify the state or province to which a PKI entity belongs.

Using the undo state command, you can delete the configured state or province.

By default, no state or province is specified for a PKI entity.

Format

state state-name

undo state

Parameters

Parameter

Description

Value

state-name

Specifies a state name or province name for a PKI entity.

The value is a string of 1 to 31 case-sensitive characters.

The characters can be uppercase letters, lowercase letters, numerals, spaces, and special characters including ' = ( ) + . - / : .

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

The state command specifies a state or province to which a PKI entity belongs.

Example

# Specify the province jiangsu for the PKI entity ra.

<Huawei> system-view
[Huawei] pki entity ra
[Huawei-pki-entity-ra] state jiangsu

usage (PKI domain view)

Function

The usage command adds the usage information of the key to the certificate request packet.

The undo usage command deletes the usage information of the key from the certificate request packet.

By default, the certificate request packet does not contain the usage information of the key.

Format

usage { ike | ssl-client | ssl-server } *

undo usage { ike | ssl-client | ssl-server } *

Parameters

Parameter

Description

Value

ike

Specifies the usage of a key as ike. That is, the key is used to set up an IPSec tunnel.

-

ssl-client

Specifies the usage of a key as ssl-client. That is, the key is used by the SSL client to set up an SSL session.

-

ssl-server

Specifies the usage of a key as ssl-server. That is, the key is used by the SSL server to set up an SSL session.

-

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

To limit what a certificate can be used for, you can add the intended key usage to the certificate request that the device sends to the CA server.

After receiving the certificate request, the CA server verifies it. If the request is valid, the CA server issues a certificate that carries the key usage extension.

For example, an SSL client uses its certificate to produce digital signatures and to encipher keys during the handshake. After you run the usage ssl-client command, the certificate issued by the CA carries a keyUsage extension with the digitalSignature and keyEncipherment bits. A certificate is valid only for the purposes its keyUsage permits; a peer that enforces the extension rejects the certificate for any other purpose, such as data encryption.

Example

# Specify the usage of a key as ssl-client.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] usage ssl-client

validate time disable

Function

The validate time disable command disables the device from verifying the time during PKI certificate verification.

The undo validate time disable command restores the default configuration.

By default, the device verifies the time during PKI certificate verification.

NOTE:

Only AR503GW-LcM7 and AR503GW-LM7 support this command.

Format

validate time disable

undo validate time disable

Parameters

None

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

The device checks the validity period during PKI certificate verification. If the current time is outside the certificate's validity period, verification fails. If the device does not support clock synchronization and restarts, for example after a power failure, the system time is reset to the factory setting and PKI certificate verification fails. To avoid this, the administrator can run this command to disable the time check during PKI certificate verification. While the check is disabled, an expired or not-yet-valid certificate is accepted, so run undo validate time disable once the clock has been corrected.
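The time check described above, as an added Python example (not device code): it parses the validity period out of a DER-encoded certificate and evaluates it against a given clock, once with the check enabled and once disabled. The certificate is a minimal skeleton built in the script (correct TBSCertificate layout, but placeholder names, key and signature), and the factory-reset clock value of 2000-01-01 is an assumption for illustration; the page does not state the device's factory time.

```python
"""Validity-period check of an X.509 certificate against a given clock.

Added example for this reference; not device code. A minimal DER encoder
builds a certificate skeleton so the parser has something to read offline,
and check_validity() shows what "validate time disable" changes: only the
notBefore/notAfter comparison is skipped.
"""
from datetime import datetime, timezone


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):
    # Positive INTEGER; the extra byte keeps the sign bit clear when needed.
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))  # RFC 5280 form

SHA256_RSA = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
NULL = tlv(0x05, b"")

def build_test_certificate(not_before, not_after):
    """Skeleton with real TBSCertificate layout; placeholder key/signature."""
    tbs = seq(
        tlv(0xA0, integer(2)),                          # [0] EXPLICIT version v3
        integer(0x1234),                                # serialNumber (placeholder)
        seq(SHA256_RSA, NULL),                          # signature algorithm
        seq(),                                          # issuer Name (empty)
        seq(utctime(not_before), utctime(not_after)),   # validity
        seq(),                                          # subject Name (empty)
        seq(),                                          # subjectPublicKeyInfo (empty)
    )
    return seq(tbs, seq(SHA256_RSA, NULL), tlv(0x03, b"\x00"))


def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out

def _parse_time(tag, value):
    s = value.decode("ascii")
    if tag == 0x17:                        # UTCTime: two-digit year, RFC 5280 pivot
        year = int(s[:2])
        year += 1900 if year >= 50 else 2000
        rest = s[2:]
    elif tag == 0x18:                      # GeneralizedTime: four-digit year
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)

def certificate_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # optional explicit version
        fields = fields[1:]
    validity = _children(fields[3][1])     # serial, sigalg, issuer, validity
    return _parse_time(*validity[0]), _parse_time(*validity[1])

def check_validity(der, now, check_time=True):
    """Mirror the device's time check; check_time=False is 'validate time disable'."""
    not_before, not_after = certificate_validity(der)
    if not check_time:
        return True, "time check disabled: validity period not evaluated"
    if now < not_before:
        return False, f"not yet valid (notBefore {not_before.isoformat()})"
    if now > not_after:
        return False, f"expired (notAfter {not_after.isoformat()})"
    return True, "within validity period"

def run_demo():
    """Evaluate one certificate under a correct, a reset and a late clock."""
    cert = build_test_certificate(datetime(2019, 1, 1, tzinfo=timezone.utc),
                                  datetime(2021, 1, 1, tzinfo=timezone.utc))
    correct_clock = datetime(2020, 6, 1, tzinfo=timezone.utc)
    factory_clock = datetime(2000, 1, 1, tzinfo=timezone.utc)  # assumed reset value
    late_clock = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return {
        "correct_clock": check_validity(cert, correct_clock),
        "factory_clock": check_validity(cert, factory_clock),
        "factory_clock_check_disabled": check_validity(cert, factory_clock, False),
        "expired": check_validity(cert, late_clock),
        "expired_check_disabled": check_validity(cert, late_clock, False),
    }

if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name:30} {'OK  ' if ok else 'FAIL'} {reason}")
```

The last two results are the caveat in one line: with the time check disabled, a reset clock no longer causes a spurious failure, but a genuinely expired certificate passes just the same.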

Example

# Disable the device from verifying the time during PKI certificate verification in the PKI domain www.

<Huawei> system-view  
[Huawei] pki realm www 
[Huawei-pki-realm-www] validate time disable

verisign usage-extension

Function

The verisign usage-extension command configures the certificate enrollment request carrying the key usage option defined by VeriSign.

The undo verisign usage-extension command restores the default configuration.

By default, the certificate enrollment request does not carry the key usage option defined by VeriSign.

Format

verisign usage-extension

undo verisign usage-extension

Parameters

None

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

Some CA servers require that the received certificate enrollment request contain the key usage option defined by VeriSign. This option is used to describe the usage of the key. When the device connects to such a CA server, use this command to configure the certificate enrollment request carrying the key usage option defined by VeriSign.

Example

# Configure the certificate enrollment request carrying the key usage option defined by VeriSign.

<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] verisign usage-extension

vpn-instance (PKI domain view)

Function

The vpn-instance command adds a PKI domain to a specified VPN.

The undo vpn-instance command restores the default setting.

By default, a PKI domain does not belong to any VPN.

Format

vpn-instance vpn-instance-name

undo vpn-instance vpn-instance-name

Parameters

Parameter

Description

Value

vpn-instance-name

Specifies the VPN to which the PKI domain belongs.

The value is a string of 1 to 31 case-sensitive characters without spaces.

Views

PKI domain view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device communicates with the CA, OCSP, or SCEP server to obtain and verify certificates. When that server is reachable only inside a VPN, add the PKI domain to the same VPN.

Prerequisites

  1. A VPN instance has been created using the ip vpn-instance command.
  2. The RD is configured for the VPN instance address family using the route-distinguisher command.

Example

# Add the PKI domain to the VPN named vrf1.

<Huawei> system-view
[Huawei] ip vpn-instance vrf1
[Huawei-vpn-instance-vrf1] route-distinguisher 22:1
[Huawei-vpn-instance-vrf1-af-ipv4] quit
[Huawei-vpn-instance-vrf1] quit
[Huawei] pki realm abc
[Huawei-pki-realm-abc] vpn-instance vrf1
Updated: 2019-05-29

Document ID: EDOC1000097293